Comments on Chromium Blog: Security in Depth: Local Web Pages
(Blogger comment feed, last updated 2013-05-07T10:04:01-07:00)

Akash Kava (2012-10-21T05:37:52-07:00):
How is the same folder name not the same origin? Google Chrome blocks local applications (a help directory served via local files). What is the problem with accessing the same folder or subfolders on the file API? Telling every user to start with an extra command line (oh, that's funny: an information bar is complicated for the user, but giving a command line is not!!)

Kapten Haddock (2011-10-03T22:11:09-07:00):
This was not a big problem for me and our intranet system.

It is rarely needed that we need to follow a file:// link, so I simply instituted the policy that when you need a file:// link (usually to get direct access to a user's folders via the file manager) you just right-click and copy the link and paste it into the file manager's address field and it takes you where you need to go.

Chrome breaks this simple workaround, because I cannot right-click "copy link address" on file:// links.

I wish Google would do something about that little quirk.

jpgygax68 (2011-09-01T17:43:01-07:00):
I mostly agree with the general "stop patronizing us" chorus. There is no reason a web application in my file system shouldn't have the same access to my computer as any other program.

The key here is to distinguish between "web applications" and "web pages". I totally agree that a downloaded web page should have very little access, if any.

However, a web *application* should have full access. How to distinguish between the two? Well, how about a pop-up that warns the user when a local page requests access? The browser would then remember the decision, in quite the same way that the Windows firewall asks for confirmation before allowing a program to reach out to the internet.

justin meyer (2010-06-08T12:01:04-07:00):
This is very sad. I work on JavaScriptMVC and it's very nice when the getting-started app that makes XHR requests to client-side templates and mock Ajax data works. This blows that up.

Hello (2010-05-21T12:12:10-07:00):
I am looking for a more secured page / Raid Recovery (http://www.advancedraidrecovery.co.uk)

Aurélio Jargas (2010-05-18T06:29:21-07:00):
A tip for anyone reading this article (because it took me ages to find out):

The Chrome security policy was made MUCH MORE restrictive than Firefox's. Now the privileges of local web pages are all fully restricted, with NO access to local files, even if they live in the same directory.

The announcement: http://googlechromereleases.blogspot.com/2010/02/dev-channel-update_24.html

"Notable behavior change: every HTML document hosted on a local file:// URI now lives in a unique domain. Old behavior can be re-enabled with the new flag --allow-file-access-from-files. For a cross-browser discussion on background, please see http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html"

The discussion: Issue 4197, http://code.google.com/p/chromium/issues/detail?id=4197

The code changes: http://codereview.chromium.org/648003

John (2010-04-20T00:50:57-07:00):
Keep making Chrome more secure, and it will behave exactly as if it weren't installed at all. My biblekjv.com site has a King James Version of the Bible that either can be viewed online, or can be downloaded as a zip file for use on a local computer. The downloaded version is identical in every way to the online version. It attempts to conform to W3C standards, and it works very well in IE, Firefox, Opera, and I think Safari. Chrome 5.0.342.9 handles the online version very well, but fails miserably to reproduce the local-file version. V. 4.xx was slightly better. Anyone who downloads a virus deserves what he/she/it gets.

STOP PATRONIZING US! John Holland

Bay area shirts (2010-03-17T11:29:41-07:00):
Microsoft's marketing department wants the public to believe that IE and Windows are profoundly innovative
Hard Drive Recovery (http://www.easyrecovery.ie/)

The MAZZTer (2010-02-24T12:14:41-08:00):
Ah, never mind, forgot about the every-file-is-a-domain thing.

That's going to break a lot of offline HTML help files that use frames...

The MAZZTer (2010-02-24T12:13:45-08:00):
Hmm, you say you aren't blocking locally read files ATM, but reading local files using both frames and XMLHttpRequest is failing...

Search Engine Optimization Expert SEO India (2009-09-21T10:34:56-07:00):
Nice blog...
family tree (http://www.tribalpages.com)

ahmeeeed (2009-01-19T02:34:00-08:00):
thanks ..

..........................
Creativity and Excellence Forums
www.ebdaa.yoo7.com

Vladimir (2009-01-08T14:50:00-08:00):
This should be a user-selectable option which can be enabled per site, à la Firefox.

Chrome is off to a nice start, but if the dev team takes the Apple approach in deciding what is or isn't good for the user, this browser won't last.

Jerm (2008-12-09T02:55:00-08:00):
"You don't want a local web page to be able to XHR to intranet sites protected by the firewall" - again, this is sometimes actually a very useful capability, enabling mashups between intranet and internet data.

Adam (2008-12-08T23:48:00-08:00):
@jnthnlstr

That's a good point. There are a number of different credentials we'd have to be careful about removing (like HTTP Auth, etc.). The main credential that's hard to remove is the user's IP address. For example, if the user is behind a firewall, you don't want a local web page to be able to XHR to intranet sites protected by the firewall.

jnthnlstr (2008-12-07T10:58:00-08:00):
Consideration of how a browser treats cookies is part of this. At the moment, the major browsers have different behaviours when it comes to deciding whether or not to submit cookies set by remote websites, e.g. when you are making a cross-domain XHR request, permitted because you are on a local file:/// URL.

For example, Firefox 3 submits all cookies that have been set by a remote website, regardless of where the XHR is directed. Conversely, Safari 3 will not submit any cookies to the remote system.

A sensible decision about how to treat remote cookies could prevent attacks such as the one described in the main post, since if the local file did not send the GMail session cookie, GMail would not think you were logged in.

David Fetcher (2008-12-06T23:03:00-08:00):
I've never known something like that. woow

Richard (2008-12-06T16:22:00-08:00):
HTML documents using JavaScript, whether on a hard drive or CD/DVD data disc, provide an important source for archived materials, special-interest documentation, and other massive collections of information.

Not everyone wants their data pulled from a cloud, or even wants to be connected to the internet to access information.

Microsoft cripples this type of information by warnings and the inability of the user to specifically okay a local information source.

For Chrome to follow Microsoft's lead denies the user the full use of his/her computer. Or else it forces the information producer to create an 'install' application, which traditionally has limited longevity, meaning the data may not be accessible in the future.

At the moment Chrome, Firefox, Opera, and Safari allow collections of local HTML data with JavaScript functions (search, etc.) to run on a local machine. This is the case on Windows/OSX/Linux. Only Internet Explorer goes into panic mode when it encounters JavaScript.

Hopefully the concept of simply shutting down local web pages can be refined in some manner so that the HTML document producer and the user can interact to approve the use of specific collections of local documents in the same way they agree to a software install.

Without this, the user's computer becomes simply a web browser, ironically allowing a document sent from a server to run on the local machine while banning the same document if it resides on the hard drive or other local media.

saint (2008-12-06T09:27:00-08:00):
Why not turn on the fiercest security you can, and then have it Administrator-only changeable?

That way, if Chrome needs to be used in a more permissive local environment due to whatever a network/project/company needs, and has adequate security set up around the permissive area, the Administrator can control the level of local security run by Chrome, to an extent.

Then have security graduated, i.e.
1. yes, let me run JavaScript locally
2. yes, allow locally run web pages to communicate outside my computer
3. no, don't allow locally run web pages to communicate outside my local network
4. if two and three are yes, warn me when a local page tries to access the internet
5. yes, please block any non-local access if it is done without direct user interaction

Otherwise, the only real thing that happens when people need to use a browser in these situations is that they'll either use a competitor, or run a local web server to host their files and then open up a whole different nest of security issues, or have to upload their files to a website, slowing down productivity.

If JavaScript was off while I was trying to develop web pages, I'd be back to Firefox in a microsecond. It's a pain-in-the-ass enough to develop for the web (sorry, not using the GWT yet) without having to upload files to a server every time just to make sure your onmouseover works right. And I've been using Chrome since the release day, despite all its (now mostly fixed) shortcomings, because of its speed and UI philosophy.

Adam (2008-12-05T21:05:00-08:00):
@devaka: Thanks for reporting that bug. I've filed it as

http://code.google.com/p/chromium/issues/detail?id=5204

Hunnter (2008-12-05T16:46:00-08:00):
See, the way I would do it is edit the HTML of the page.

If there is a form element, add in some JavaScript that will ask for confirmation to submit the form (show the website in this alert box).
If you Trust the website, it will save a cookie.
If you select Trust For Now, it will just submit, no cookie saved.
If you disallow it, it will deny it and save a cookie.

It will have to be designed in a way that it will not interfere with any of the regular functions of the page.
I guess you could add a "dateTtime" onto the end of a function name; this will make it near impossible for any conflicts.

This is just a simplified version of the solution; there would have to be insertions to deal with JavaScript-based submissions as well, malformed object submissions, such as loading up pages within images, etc. (and plugins, I guess)

But the neat thing about this is that this sort of thing would work across all browsers as well (as long as they have support for basic JavaScript, that is).

devaka (2008-12-05T10:31:00-08:00):
2Ian Fette: Now in Google Chrome, when you save an HTML page by clicking the right mouse button and "save file as..", it saves the HTML without the "mark of the web"; I've just checked it out with links on this page. But it works well when you save it from the main menu or "Ctrl+S".

Andi (2008-12-05T08:16:00-08:00):
I don't like all these restrictions for local web pages. Offline web apps like TiddlyWiki would not be possible, nor would interesting concepts like drag-and-drop of local files. I created a small example where the user can drag a jpg or png image into a drop region in the web page and the web page loads the image by its URL into a canvas.
I understand that there are security problems when local pages access cross-domain data or send local data to some server. What I don't understand is why you don't allow the user to decide if he or she trusts the local web page and wants to allow local file access or cross-domain access. Why make everything impossible and give no freedom of choice?
This is a big problem in web technologies: restricting features without giving the user the choice to allow the problematic features in special cases.

Mohamed Mansour (2008-12-05T03:33:00-08:00):
Firefox allows the user to run local script and read local documents from the path of the document loading, such as XML files.

IE7 and Chrome won't do that if it's local. Any ideas if this security policy allows JavaScript to read documents relative to the launching website? Such an example would be a JavaScript photo album where the data source is defined by an XML schema.

Richard Heyes (2008-12-05T02:16:00-08:00):
> ...identify theft.

"identity theft" ?